I wanted to pick your brains about the best way to manage updates for a large number of Debian hosts. In essence, what I would like to do would be the equivalent of Nessus or OpenVAS local security checks. Unfortunately, I have run into problems with both of these solutions. Nessus only performs local security checks against stable, and all of the hosts in question are running a snapshot of unstable. OpenVAS, OTOH, seems just plain broken. Apparently, from what I have been able to glean from the mailing list, it randomly picks either username/password or username/ssh credentials, and they are not sure why, or something. Well, in every case, it tells me that it won't do local security checks because no credentials (I am forced to use username/ssh keys) were provided.

So, I am at the point of reinventing the wheel. I have two criteria for which I would like to do an update. First (and probably most importantly) is to check against the DSAs and see if any installed package has an alert on it. Second would be a functionality issue, some critical package on a given server. I already know that this will have to be done manually. That's not a problem. Setting up DSA or CVE checks against a couple of hundred servers, on the other hand, is something that should be able to be automated without much trouble. What I am looking for is the best/most efficient approach.

I had thought about using something similar to apticron; however, there are two problems with this. First, it includes apt-listchanges, which, according to the man page, is supposed to sort the results by urgency, but in practice does not. I was considering parsing through that, but since the changelogs vary so much, it is less desirable than using the DSAs.

The second way I had thought about was to set up a puppet manifest to manage this. Unfortunately, I don't have puppet set up yet...

What are others using for this type of check on a large number of servers?
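As an added example (not the poster's code and not part of any existing tool), here is a Python sketch of the DSA check asked about above: it takes installed package versions from dpkg-query and reports packages older than the fixed version an advisory names, using a port of dpkg's version ordering so that epochs, "~" pre-release suffixes and "+debXuY" revisions compare correctly. The dpkg-query output and the DSA entries are constructed sample input; real advisory data would have to be fetched and parsed separately.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character weight: '~' sorts before anything (even end of string), letters before punctuation
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    # Modelled on dpkg's verrevcmp(): walk alternating non-digit / numeric runs of both strings
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """<0, 0 or >0 like dpkg --compare-versions: epoch, then upstream, then Debian revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_dpkg_query(text):
    """Parse dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'; keep only installed packages."""
    rows = (line.split("\t") for line in text.splitlines())
    # "deinstall ok config-files" leftovers are not installed, so no DSA applies to them
    return {pkg: ver for pkg, ver, status in rows if status.endswith(" installed")}

def find_vulnerable(installed, advisories):
    """Return (dsa, pkg, installed_version, fixed_version) for every DSA the host has not caught up with."""
    return [(dsa, pkg, installed[pkg], fixed) for dsa, pkg, fixed in advisories
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0]

# Constructed sample input; the DSA ids and versions are placeholders, not real advisories.
SAMPLE_DPKG = ("openssl\t1.0.1e-2\tinstall ok installed\n"
               "bind9\t1:9.8.4.dfsg.P1-6+nmu2\tinstall ok installed\nexim4\t4.80-7\tdeinstall ok config-files\n")
SAMPLE_DSAS = [("DSA-0000-1", "openssl", "1.0.1e-2+deb7u1"),
               ("DSA-0000-2", "bind9", "1:9.8.4.dfsg.P1-6+nmu2"),
               ("DSA-0000-3", "exim4", "4.80-7+deb7u1")]
```

Run `find_vulnerable(parse_dpkg_query(SAMPLE_DPKG), SAMPLE_DSAS)` to get the list of packages behind their advisory; on a real host, feed it the dpkg-query output from each server and a parsed DSA feed.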